The Zero Day Initiative is set up to pay security researchers for their exploits. Recently, they announced their intention to release general info about exploits that have gone unpatched for an extended period of time, in the hope of putting pressure on the vendor. Here's some more info:

Over the past year, the most resounding suggestion from our Zero Day Initiative researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero day vulnerabilities.

The following is a list of vulnerabilities discovered by researchers enrolled in the Zero Day Initiative that have yet to be publicly disclosed. The affected vendor has been contacted on the specified date and while they work on a patch for these vulnerabilities, TippingPoint customers are protected from exploitation by IPS filters delivered ahead of public disclosure.

By paying authors for zero day exploits, I assume they are buying the intellectual property behind it, i.e. discovery and development. This might seem attractive to the writers of exploits, but I fear it would tie their hands when it comes to full public disclosure. I have no problems with security researchers being rewarded for their work, but isn't this tying the latest exploit detection/protection to a single vendor and a single product?

I think this is great, because it raises awareness of how slow the vendors are to release security patches that the public doesn't know about. Also, several companies pay for exploits, not just TippingPoint, so it's not really vendor-specific; however, I don't know what's to stop a researcher from selling his work to multiple vendors. I think vendors should get between 3-6 months to patch a critical vulnerability, depending on how much code they have to review. Waiting several years like MS did with some of the PNG vulnerabilities is so pathetic it should be illegal.